How to backup the group signer key

Hi there,

Scenario:
“PKA with XKEK.
Key custodians receive their own HSMs, each configured with a PIN but without a security domain.”

I want to add a group signer for XKEK on the same key configured with PKA, but I’m not sure how to create a backup key (as hardware failure protection).

When using SCS with the wrap option, the key cannot be exported.
The pkcs15-tool shows the following access flags: 0x1D, sensitive, alwaysSensitive, neverExtract, local.

Does this mean my only option is to create a separate security domain with DKEK, generate the group signer key within that domain, and then wrap it?

Thanks and best regards,
Tobias

There is nothing special about the group signer key; it’s just an ECC key that can sign key domain memberships. To keep a backup of this key you can create a DKEK key domain and take care of the shares using an organizational procedure.

Typically you have several organizations when using XKEK key domains in a layered approach, like in the key management for the “Urkundenarchiv” of the German Notaries. There you have multiple XKEK key domains that control key management in the notaries, the chamber and the operator. But at the top you always have a DKEK key domain for the root group signer.

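The DKEK-based backup route the reply suggests, written out as a shell procedure around OpenSC's sc-hsm-tool. This is an added example, not code from the thread or from the SmartCard-HSM project: the PIN values, token label, share file names and key reference are placeholders, and the password-share split is shown as the "organizational procedure" option for custodians. Nothing runs against a device unless `DRY_RUN` is 0 and a reader is attached.

```shell
#!/bin/sh
# Added example: back up a group signer key by generating it inside a DKEK key domain,
# then wrapping it with sc-hsm-tool (OpenSC). All PINs, labels and paths below are
# placeholders, not values from the thread.

: "${DRY_RUN:=1}"                 # 1 = print commands only; set to 0 to talk to a real HSM
: "${SO_PIN:=CHANGE-ME-SO-PIN}"   # placeholder Security Officer PIN (16 hex digits on a real device)
: "${USER_PIN:=CHANGE-ME-PIN}"    # placeholder user PIN

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: initialise the (new or replacement) HSM so that it expects N DKEK shares.
# Keys generated after this point belong to the DKEK domain and can be wrapped;
# keys generated on a PKA-only device report neverExtract, as the question observed.
init_dkek_domain() {
    shares="$1"
    run sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" \
        --dkek-shares "$shares" --label GroupSignerBackup
}

# Step 2: a custodian creates one DKEK share file, encrypted with a password.
create_share() {
    run sc-hsm-tool --create-dkek-share "$1" --password "$2"
}

# Step 2 (alternative): split the share password across custodians, threshold-of-total,
# so no single person can decrypt the share file.
create_share_split() {
    run sc-hsm-tool --create-dkek-share "$1" --pwd-shares-threshold "$2" --pwd-shares-total "$3"
}

# Step 3: import every share; the DKEK is complete once all N shares are loaded.
import_share() {
    run sc-hsm-tool --import-dkek-share "$1" --password "$2"
}

# Step 4: wrap the group signer key (by key reference) into a backup file.
wrap_key() {
    run sc-hsm-tool --wrap-key "$1" --key-reference "$2" --pin "$USER_PIN"
}

# Step 5: on a replacement HSM with the same DKEK, unwrap the backup into a key slot.
unwrap_key() {
    run sc-hsm-tool --unwrap-key "$1" --key-reference "$2" --pin "$USER_PIN"
}

# Full procedure for a two-custodian setup (placeholder file names).
backup_procedure() {
    init_dkek_domain 2
    create_share custodian-a.pbe "password-of-custodian-a"
    create_share custodian-b.pbe "password-of-custodian-b"
    import_share custodian-a.pbe "password-of-custodian-a"
    import_share custodian-b.pbe "password-of-custodian-b"
    # ... generate the group signer ECC key on the device here (e.g. with pkcs11-tool),
    # then wrap it; key reference 1 is a placeholder.
    wrap_key group-signer.wrap 1
}

# Run only when explicitly asked, so sourcing this file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    backup_procedure
fi
```

The key must be generated after the DKEK has been imported; wrapping an existing key that was created under PKA alone is not possible, which is exactly the neverExtract flag from the question. Restoring onto a second HSM means repeating steps 1 and 3 there with the same share files, then calling `unwrap_key`.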